Configure the RepositoryAuthenticationProvider
When using the JAAS login and a user can authenticate, by default the user is given the role everybody. However, it is likely that you want more fine-grained control over what each authenticated user is allowed to do, see Delivery Tier Authorization Configuration.
This can be done by configuring the org.hippoecm.hst.security.impl.RepositoryAuthenticationProvider, which is the org.hippoecm.hst.security.AuthenticationProvider implementation provided by default, see Customize the Delivery Tier's Authentication Provider.
The org.hippoecm.hst.security.impl.RepositoryAuthenticationProvider takes the following configuration settings, which can be overridden per HST site webapp in its hst-config.properties, see HST-2 Container Configuration.
    ### Hippo Login Module Authentication Provider configurations ###

    ## default properties for the RepositoryAuthenticationProvider ##

    # optional required userrole to be allowed to authenticate
    security.authentication.required.userrole =

    # default excluded standard provided userroles (prefixed with xm.)
    security.authentication.excluded.userrole.prefixes = xm.

    # , delimiter separating multiple excluded userrole prefixes
    security.authentication.excluded.userrole.prefixes.delimiter = ,

    # default include only standard provided userroles (prefixed with xm.): effectively by default don't include any!
    security.authentication.included.userrole.prefix = xm.

    # by default strip the userrole prefix (if any) from the mapped role name
    security.authentication.strip.included.userrole.prefix = true

    # prefix to be added to produced role names (default no prefix added)
    security.authentication.role.prefix =

    ## common/shared properties for all Authentication Provider beans ##

    # default role to be added to anyone authenticated (if not already added): to be specified *without* possible role.prefix
    security.authentication.default.role = everybody

    ## properties only used for the deprecated jcrAuthenticationProvider/HippoAuthenticationProvider ##

    # the default domain name to use for querying and resolving role mappings
    security.authentication.role.domain = everywhere
The above default configuration effectively maps no userroles (both the excluded and the included prefix default to "xm."), but always adds/returns the default role "everybody".
Therefore, to make effective use of the role mapping feature (besides the authentication itself), a project needs to customize/override a few of these configuration properties, see Delivery Tier Authorization Configuration.
Assume a test project with a (minimal) example setup with the following configuration overrides in its hst-config.properties:
    security.authentication.required.userrole = hst.site.user
    security.authentication.included.userrole.prefix = site.
This requires everybody logging in through a site to have at least the userrole hst.site.user assigned, and only the authenticated user's userroles whose name starts with the site. prefix are filtered and mapped to role principals.
In the test project, the following example configuration can then be used to set this up:
    definitions:
      config:
        /hippo:configuration/hippo:userroles:
          /hst.site.user:
            jcr:primaryType: hipposys:userrole
          /site.admin:
            jcr:primaryType: hipposys:userrole
          /xm.cms.user:
            hipposys:userroles:
              operation: add
              value: [hst.site.user]
        /hippo:configuration/hippo:users/admin:
          hipposys:userroles:
            operation: add
            value: [site.admin]
        /hippo:configuration/hippo:groups/admin:
          hipposys:userroles:
            operation: add
            value: [site.admin]
The above yaml bootstrap configuration defines:
- userrole hst.site.user
- userrole site.admin
- the userrole xm.cms.user inherits (implies) hst.site.user
- the admin user and group have been granted the userrole site.admin
Now, with the above setup, HST role security can be used and enforced, for example to restrict access to a specific sitemap item:
    definitions:
      config:
        /hst:hst/hst:configurations/demosite/hst:sitemap:
          jcr:primaryType: hst:sitemap
          /test:
            jcr:primaryType: hst:sitemapitem
            hst:authenticated: true
            hst:roles: [admin]
The above example sitemap item test requires authentication, and only a user with the admin role principal is allowed to access it. The admin user gets the role principal admin because:
- It has the userrole site.admin
- We configured a userrole prefix (mapping) security.authentication.included.userrole.prefix = site.
Because of the userrole prefix site., only userroles starting with site. are included, and they are included after stripping off site.; thus the userrole site.admin translates into the role admin.
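The mapping described above (required userrole, excluded and included prefixes, prefix stripping, role.prefix and the default role) can be checked before deploying a configuration. The following is an added Python model of that mapping, written for this page; it is not HST's own code and does not call the HST API. The evaluation order (required userrole first, then excluded prefixes, then the included prefix, then stripping, then role.prefix, with the default role added before the prefix is applied) is an assumption drawn from the property descriptions, and the parse_properties helper and all user/userrole data are constructed for the example.

```python
"""Model of the RepositoryAuthenticationProvider userrole -> role mapping.

Added illustration, not HST code. It re-implements the behaviour that the
documented hst-config.properties settings describe so that the effect of a
configuration can be checked offline.
"""

# Defaults as listed in the documented hst-config.properties
DEFAULTS = {
    "security.authentication.required.userrole": "",
    "security.authentication.excluded.userrole.prefixes": "xm.",
    "security.authentication.excluded.userrole.prefixes.delimiter": ",",
    "security.authentication.included.userrole.prefix": "xm.",
    "security.authentication.strip.included.userrole.prefix": "true",
    "security.authentication.role.prefix": "",
    "security.authentication.default.role": "everybody",
}


def parse_properties(text):
    """Parse a minimal Java-style .properties text (key = value, # comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def map_userroles(userroles, overrides=None):
    """Return (authenticated, role_principals) for a user's effective userroles.

    `userroles` is the set of userroles the repository resolved for the user,
    including inherited ones (e.g. xm.cms.user implying hst.site.user).
    Returns (False, set()) when the required userrole is missing.
    Evaluation order is an assumption, see the lead-in.
    """
    cfg = dict(DEFAULTS)
    cfg.update(overrides or {})
    userroles = set(userroles)

    # 1. optional gate: the user must hold the required userrole at all
    required = cfg["security.authentication.required.userrole"]
    if required and required not in userroles:
        return False, set()

    # 2. drop userroles whose name starts with any excluded prefix
    delim = cfg["security.authentication.excluded.userrole.prefixes.delimiter"] or ","
    excluded = [p.strip() for p in
                cfg["security.authentication.excluded.userrole.prefixes"].split(delim)
                if p.strip()]
    candidates = {r for r in userroles if not any(r.startswith(p) for p in excluded)}

    # 3. keep only userroles that start with the included prefix
    included = cfg["security.authentication.included.userrole.prefix"]
    candidates = {r for r in candidates if r.startswith(included)}

    # 4. optionally strip that prefix: site.admin -> admin
    strip = cfg["security.authentication.strip.included.userrole.prefix"].lower() == "true"
    roles = {r[len(included):] if strip else r for r in candidates}
    roles.discard("")

    # 5. the default role is specified *without* role.prefix, so add it
    #    before prefixing (assumption: "added if not already added")
    default_role = cfg["security.authentication.default.role"]
    if default_role:
        roles.add(default_role)

    # 6. prepend role.prefix (empty by default) to every produced role name
    role_prefix = cfg["security.authentication.role.prefix"]
    return True, {role_prefix + r for r in roles}


if __name__ == "__main__":
    # Constructed sample: the overrides from the test project above, and the
    # admin user's effective userroles from the bootstrap yaml
    site_cfg = parse_properties(
        "security.authentication.required.userrole = hst.site.user\n"
        "security.authentication.included.userrole.prefix = site.\n"
    )
    admin_userroles = {"site.admin", "xm.cms.user", "hst.site.user"}
    print("admin  ->", map_userroles(admin_userroles, site_cfg))
    print("guest  ->", map_userroles({"xm.cms.user"}, site_cfg))
    print("default config ->", map_userroles(admin_userroles))
```

With the page's defaults the admin user only receives everybody (xm.cms.user is both excluded and the only included prefix); with the test project's overrides the same user receives admin and everybody, and a user lacking hst.site.user is refused before any mapping takes place.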
Modify the default added role
By default, any authenticated user gets the role everybody added. If you want to change this, say to the role siteusers, by specifying in your hst-config.properties
security.authentication.default.role = siteusers
then make sure to also adjust the Servlet Configuration described at Delivery Tier Authentication to replace everybody with siteusers.